Social engineering
Definitions

Overview

Social engineering refers to techniques designed to fool human beings into providing information or taking an action that leads to a subsequent breach of information systems security. The term is intended to distinguish it from computer engineering or software engineering, in that social engineering uniquely attacks the human component of an information system.

Humans are a weak link in the security chain, and this weakness has been exploited by criminals in both the physical and cyber worlds. Email, web browser, and instant messaging (IM) applications are some of the more commonly used communications channels for delivering social engineering attacks.

How it works

There are five steps to a successful social engineering attack (Bruce Schneier, Secrets and Lies: Digital Security in a Networked World (2000)). First, the individual or target is chosen and all relevant information concerning that target is collected. Such information can include job advertisements, published reports, company brochures and any other publicly available information, with the aim of gathering enough to heighten the perceived legitimacy of the attack.

Social engineering can be performed through many means, including analog (e.g., conversations conducted in person or over the telephone) and digital (e.g., e-mail, instant messaging). One form of digital social engineering is known as phishing, where attackers attempt to steal information such as credit card numbers, Social Security numbers, user IDs, and passwords.

Social networking websites can reveal a large amount of personal information, including resumes, home addresses, telephone numbers, employment information, work locations, family members, education, photos, and private information. Social media websites may share more personal information than users expect or need in order to keep in touch.
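As an added illustration of the detection side of the phishing channel described above (this code is not part of the original wiki page), the following Python checks the links in an HTML e-mail body for the classic indicators of a bank-impersonation message: visible link text that shows one domain while the href points to another, a trusted brand name in the link text next to an untrusted destination, and a raw IP address as the link host. The sample e-mail, the trusted-domain list and the two-label "registered domain" rule are constructed assumptions for the example; a production filter would use the Public Suffix List and a maintained brand list.

```python
import html.parser
from urllib.parse import urlparse


class _LinkExtractor(html.parser.HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registered domain: the last two labels (assumption: no multi-part public suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(value):
    """Hostname of a URL or bare domain string, or None if there is none."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname


def suspicious_links(html_body, trusted_domains):
    """Return [(href, text, [reasons])] for links showing phishing indicators."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if href_host is None:
            continue
        href_dom = registered_domain(href_host)
        reasons = []
        # Indicator 1: the visible text looks like a URL/domain but names a different domain.
        text_host = host_of(text) if ("." in text and " " not in text) else None
        if text_host and registered_domain(text_host) != href_dom:
            reasons.append("display text domain differs from href domain")
        # Indicator 2: a trusted brand name appears in the text but the link leaves its domain.
        for domain in trusted_domains:
            brand = domain.split(".")[0]
            if brand in text.lower() and href_dom != domain:
                reasons.append(f"mentions {brand} but links to {href_dom}")
        # Indicator 3: the destination is a raw IP literal rather than a named host.
        if href_host.replace(".", "").isdigit():
            reasons.append("href uses a raw IP address")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: one bank-impersonation mail with three links (198.51.100.7 is a
# documentation-only TEST-NET address, used here as a placeholder).
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://198.51.100.7/login">https://www.examplebank.com/login</a><br>
<a href="https://www.examplebank.com/help">Help center</a><br>
<a href="https://examplebank-secure.example.net/verify">Verify ExampleBank account</a>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, ["examplebank.com"]):
        print(f"{href!r} shown as {text!r}: {'; '.join(reasons)}")
```

Only the two deceptive links are reported; the genuine help-centre link passes all three checks. The function returns structured findings rather than printing so it can feed a mail-gateway rule or a SOC triage script.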
Examples of social engineering include telephoning the IT help desk while pretending to be an employee and asking for a password reset in order to gain unauthorized access to that employee's computer account and the network; or sending an e-mail impersonating a victim's bank in order to get the victim to click on a phishing URL and enter their bank account password into a fake, attacker-controlled website. Social engineering may be used to target specific high-value individuals or groups in the organization, such as executives, or may have a broad target set. Specific targets may be identified when the organization knows of an existing threat or feels that the loss of information from a person or specific group of persons could have a significant impact.

Second, the collected information is analyzed and a vulnerability that can be used to reach the objective is determined. Third, access to the individual is established. Fourth, after this preliminary work has been completed, the attack itself takes place. Finally, once the attack is completed, all evidence of the attack can be destroyed.

Countermeasures consist of three steps that work in tandem: protection, detection and reaction (Id.). Since protection can never be guaranteed, greater emphasis should be placed on detection and reaction. This increases the chances that an organization will know when a security breach has taken place and how to address the threat.

See also

* Avoiding Social Engineering and Phishing Attacks
* Email social engineering attack
* Instant messaging attack
* Social engineering awareness
* Web client attack

External resources

* "The Threat of Social Engineering and Your Defense Against It" (full-text).

Category:Security
Category:Cybercrime
Category:Definition